Economics at your fingertips  

The Next Generation of Scientific-Based Risk Metrics: Measuring Cyber Maturity

Lanier Watkins and John S. Hurley
Additional contact information
Lanier Watkins: Johns Hopkins University Information Security Institution, Baltimore, MD, USA
John S. Hurley: National Defense University, Washington D.C., USA

International Journal of Cyber Warfare and Terrorism (IJCWT), 2016, vol. 6, issue 3, 43-52

Abstract: One of the major challenges to an organization achieving a certain level of preparedness to “effectively†combat existing and future cyber threats and vulnerabilities is its ability to ensure the security and reliability of its networks. Most of the existing efforts are quantitative, by nature, and limited solely to the networks and systems of the organization. It would be unfair to not acknowledge that for sure some progress has been achieved in the way that organizations, as a whole, are now positioning themselves to address the threats (GAO 2012). Unfortunately, so have the skill sets and resource levels improved for attackers--they are increasingly getting better at achieving the unwanted access to organizations' information assets. In large part the authors believe that some of this is due to the failure by methods to assess the overall vulnerability of the networks. In addition, significant levels of threats and vulnerabilities beyond organizations' networks and systems are not being given the level of attention that is warranted. In this paper, the authors propose a more comprehensive approach that enables an organization to more realistically assess its “cyber maturity†level in hope of better positioning itself to address existing and new cyber threats. The authors also propose the need to better understand another missing critical piece to the puzzle--the reliability and security of networks in terms of scientific risk-based metrics (e.g., the severity of individual vulnerabilities and overall vulnerability of the network). Their risk-based metrics focus on the probability of compromise due to a given vulnerability; employee non-adherence to company cyber-based policies; insider threats. They are: (1) built on the CVSS Base Score which is modified by developing weights derived from the Analytic Hierarchy Process (AHP) to make the overall score more representative of the impact the vulnerability has on the global infrastructure, and (2) rooted in repeatable quantitative characteristics (i.e., vulnerabilities) such as the sum of the probabilities that devices will be compromised via client-side or server-side attacks stemming from software or hardware vulnerabilities. The authors will demonstrate the feasibility of their method by applying their approach to a case study and highlighting the benefits and impediments which result.

Date: 2016
References: Add references at CitEc
Citations: Track citations by RSS feed

Downloads: (external link) ... 018/IJCWT.2016070104 (application/pdf)

Related works:
This item may be available elsewhere in EconPapers: Search for items with the same title.

Export reference: BibTeX RIS (EndNote, ProCite, RefMan) HTML/Text

Persistent link:

Access Statistics for this article

More articles in International Journal of Cyber Warfare and Terrorism (IJCWT) from IGI Global
Bibliographic data for series maintained by Journal Editor ().

Page updated 2019-11-24
Handle: RePEc:igg:jcwt00:v:6:y:2016:i:3:p:43-52